SAN FRANCISCO — Popular apps that help people measure their heart rate, track their menstrual cycle or search for a home are sending some of that sensitive information to Facebook within seconds of its being recorded, The Wall Street Journal reported on Friday.
It is the latest in a series of recent examples of tech companies sharing personal data without the explicit permission of its users, adding to mounting privacy concerns and spurring a movement to push tech firms to be more transparent and forthcoming with users.
The Journal reported that at least 11 popular smartphone apps, with tens of millions of downloads between them, have been sharing sensitive data with Facebook, even if the user has no connection to Facebook.
The apps are sharing the data so they can use a Facebook analytics tool that allows developers to measure how people use their apps and potentially target them with personalized ads, often without any prominent or specific disclosure, the newspaper said.
The apps included Flo Period & Ovulation Tracker, which claims 25 million active users, the Journal reported. Initially, the app told the newspaper that it doesn't send "critical user data" to Facebook, but when the Journal found that menstruation information was sent to Facebook with a unique advertising identifier that can be matched to a device or profile, Flo said it would "substantially limit" the use of external analytics systems and conduct a privacy audit.
Flo said in an additional statement on Friday that it used Facebook's analytics tool "for internal analytics purposes only: to study user behavior, provide users with the best possible experience and develop a product." Usage of analytical systems is a common practice for all app developers, the company said.
New York Gov. Andrew Cuomo said in response to the report that he was directing state agencies to investigate what he called an "invasion of consumer privacy" and asking federal authorities to help end the practice.
"This practice, which in some cases clearly violates Facebook's own business terms, is an outrageous abuse of privacy," Cuomo said in a statement.
There is no evidence that Facebook intended to collect the sensitive data. Rather, the apps in question were using a set of tools, known as a software developer kit, that was produced by Facebook and used by software engineers. Facebook's SDK is among the most widely used such kits.
Facebook said it did not seek out the personal information, and that it deletes such data in cases where it detects it.
"For these specific apps, we will reach out to them and notify them that the data they're sharing can be perceived as sensitive by their users so they should stop sending it. Again, should they refuse to comply, we may take further action where warranted," Facebook said in a statement.